Four months after the Cybercrime Law in Uruguay: Impacts and initial challenges
Given this growing threat, on September 25, 2024, Law No. 20,327 was enacted, known as the 'Cybercrime Law,' which seeks to strengthen the legal framework to prevent and punish these illicit behaviors. Nearly four months after its entry into force, it is pertinent to analyze its main provisions and the initial impact on the country's digital security.
1. Modernizing the legal framework.
The Cybercrime Law responds to the need to update a Penal Code that did not cover 'digital' crimes (those committed through electronic or computer means). While Law No. 18,494 marked a first step by defining some of these crimes as offenses, the new regulation significantly expands protection and aligns Uruguay with international standards, such as the Budapest Convention.
This treaty, adopted in 2001, is the main global reference for combating cybercrime. Although Uruguay is not yet an official member, in 2024 it was invited to join, a recognition of the country's progress in this area. Joining this convention would allow Uruguay to collaborate internationally to track and combat crimes such as computer fraud, unauthorized access to systems, and data theft, among others.
2. Main provisions of the Cybercrime Law.
The Cybercrime Law defines and sanctions various illicit behaviors related to digital criminality, establishing a comprehensive framework that covers both punitive measures (to be implemented according to the seriousness and impact on public or private order) and preventive and educational measures. Among its highlights are the promotion of cybersecurity education campaigns, the creation of registers of cybercriminals, and specific powers for financial institutions to freeze funds in risky situations.
The law is organized into four fundamental pillars / chapters:
A. Typification of cybercrimes.
New crimes and aggravating factors are defined that address specific situations in the digital environment, such as:
- Cyberstalking: Use of digital means (internet, social networks, text messages, etc.) to pursue, monitor, or attempt to contact another person repeatedly, seriously affecting their daily life.
- Computer fraud: Occurs when electronic means are used to deceive a person and obtain an economic benefit at their expense. Common examples include unauthorized bank transfers or fraudulent use of credit cards.
- Computer damage: Occurs when someone destroys, alters, or disables computer systems with the intention of causing harm, such as deleting files, introducing viruses, or blocking access to critical systems.
- Unauthorized data access: Unauthorized entry into third-party computer systems to manipulate or disclose confidential information without consent.
- Illicit interception: When communications in transit on networks or computer systems are partially or completely intercepted, violating the right to privacy.
- Data breach: Occurs when a person, using technology, accesses, appropriates, uses, or modifies confidential information of third parties without their authorization.
- Identity theft: When someone falsely assumes the identity of another person or entity, using social networks, emails, bank accounts, or other digital platforms to access personal information and access credentials.
- Device abuse: Occurs when a person creates, acquires, imports, sells, or provides others with programs, credentials, or passwords designed to facilitate the commission of a crime.
B. Educational measures.
It obliges the State to promote national cybersecurity awareness campaigns and to integrate them into the public education system. These initiatives aim to produce citizens who are better prepared for digital risks.
C. Register of cybercriminals.
Authorizes the creation of registers managed by financial institutions and electronic money issuers to identify individuals involved in digital crimes and prevent fraudulent transactions. They may share this information with the corresponding jurisdictional authorities.
D. Prevention of unauthorized transactions.
Empowers financial institutions and electronic money issuers not to execute withdrawal or transfer orders from account holders or representatives when they have reliable knowledge that funds from third parties entered the accounts through transactions declared as unknown and unauthorized by the account holders of the originating funds.
3. Complementary rules.
The Cybercrime Law does not act in isolation but is complemented by other legal instruments and national bodies that reinforce the fight against cybercrime and clarify the legal concepts it protects, among which are:
- Personal Data Protection Law (Law No. 18,331): Regulates the processing of personal data and establishes key measures to protect citizens' privacy in the digital environment. This is essential to prevent crimes related to the misuse of personal information, such as identity theft or fraud.
- Electronic Government and Information Society Agency (AGESIC): The body responsible for overseeing compliance with data protection laws; it plays an active role in preventing computer crimes. It also manages the National Center for Response to Computer Security Incidents (CERTuy), which coordinates the response to cyber incidents in the country.
- Money Laundering Law (Law No. 19,574): In the context of preventing economic and financial crimes, this law includes specific provisions for money laundering through digital channels, as cybercrime has become one of the most used methods to 'launder' illicit money.
Consolidating digital protection in Uruguay.
The Cybercrime Law marks a milestone in defending users' rights and protecting computer systems in Uruguay. This regulation not only modernizes the national legal framework but also aligns with international standards, establishing a solid foundation for more precisely sanctioning illicit behaviors in the digital realm.
Furthermore, it promotes cybersecurity training and the implementation of preventive measures aimed at reducing the commission of these crimes in the future. Its comprehensive approach supports both the effective prosecution of cybercrimes and the education of citizens in the safer use of technology.
With this regulation, along with other legal instruments that reinforce the fight against cybercrime, Uruguay is moving towards the goal of consolidating a safe and reliable digital environment, facilitating access and the development of innovative technologies for the benefit of society as a whole.
* * *
Montevideo, January 28, 2025.